Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 17 Mar 2012 06:18:20 +0400
From: Solar Designer <>
Subject: [openwall-announce] pwgen common password lists


The Openwall wordlists collection (paid, full) now comes with a bonus -
two lists of passwords commonly generated by pwgen 2.06 with default
settings for output to a tty and non-tty.  These contain 44 and 45.5
million entries and they crack 21% and 75% of passwords of the
corresponding kind - for tty and non-tty, respectively.  pwgen is a
fairly popular command-line password generator program for Unix systems.
It is part e.g. of Debian and Ubuntu.

The unfortunate property of pwgen that made this possible (non-uniform
distribution and small keyspace of its generated passwords) was
discussed on oss-security and Bugtraq in January:

and on john-users in 2010.

Part of the problem (small keyspace, but not non-uniform distribution)
was publicly known since 2004 (if not earlier):

(The fix was to document the problem...)

Our wordlists with the pwgen bonus may be purchased here:

Those of you who would rather not support us may obtain almost all of
the same wordlists (but not the pwgen bonus yet) from /pub/wordlists in
our file archive and its mirrors:

And indeed anyone (with some shell scripting skills or the like) can
generate similar pwgen lists in a couple of days, which actually makes
me more comfortable about using ours as a way to encourage people and
companies to support our project financially. ;-)

Speaking of alternatives to pwgen, our own pwqgen (from our passwdqc
package) has been tested for (lack of) a similar issue:


Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ